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LOCKS, LIES, and “HIGH” 
INSECURITY 


MEDECO HIGH SECURITY: 


UL, BHMA/ ANSI, VdS Certified 

High level of protection against attack 
Picking: 10-15 minute-resistance 

No bumping 

Forced Entry: 5 minutes, minimum 


Key control 
— Protect,restricted and proprietary keyways 
— Stop duplication, replication, simulation of keys 
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HIGH SECURITY LOCKS: 


MEDECO HISTORY 


WHY THE MEDECO CASE 
STUDY IS IMPORTANT 


CONVENTIONAL v. 
HIGH SECURITY LOCKS 


ATTACK METHODOLOGY 


Assume and believe nothing 

Ignore the experts 

Think “out of the box” 

Consider prior methods of attack 
Always believe there is a vulnerability 
WORK THE PROBLEM 


— Consider all aspects and design parameters 
— Do not exelude any*solution 
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HIGH SECURITY LOCKS: 
Critical Design Issues 


HIGH SECURITY: 
Three Critical Design Factors 


BYPASS AND REVERSE 
ENGINEERING 


SYSTEM BYPASS 


SECONDARY SECURITY 
LAYERS 


LAYERS OF SECURITY 
AND BYPASS CAPABILITY 


How many 

Ability to. exploit design feature? 
Integrated 

Separate 


— Primus = 2 levels, independent} complex locking 
of secondary finger pins 


— Assa= 2 levels, independent, simple locking, one 
level 
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EXPLOITING 
FEATURES 


Codes: design, progression 

Key bitting design 

Tolerances 

Keying rules 

— Medeco master and non-master key systems 


Interaction of critical components and locking 
systems 


Keyway and plug design 
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EXPLOITING 
TOLERANCES 


sidebar locking: Medeco 10 v. 20 degree 
Relation, to codes 
Simulation of codes: Wedeco 


Reverse engineer code progression of 
system from one or more keys? 

— Master key conventional v. positional system 
— Difficulty = replication of keys 

— Medecov. MCS-as.example 
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ATTACKS: 
Two Primary Rules 


¢ “The Key never unlocks the lock’ 
— Mechanical bypass 


Alfred C. Hobbs: “If you can feel one 
component against the other, you Can 
derive information and open the lock.” 
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METHODS OF ATTACK: 
High Security Locks 


ADDITIONAL METHODS OF 
ATTACK 


oplit key, use sidebar portion to set 
code 


Simulate sidebar code 


Use of key to probe depths and 
extrapolate 


Rights amplification of key 
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KEY CONTROL 


KEY CONTROL and “KEY 
SECURITY” 


¢ Duplicate 
¢ Replicate 
¢ Simulate 


“Key control” and “Key Security’ may not 
be synonymous! 
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KEY SECURITY: A Concept 


Key control = physical control of keys 
Prevent manufacture and access to blanks 
Control generation of keys by code 

Patent protection 

Key security = compromise of keys 

— Duplication 

— Repliceation 

— Simulation 
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KEYS: CRITICAL ELEMENTS 


Length = number of pins/sliders/disks 
Height of blade = depth increments = differs 
Thickness of blade =keyway design 
Paracentric design 

Keyway modification to accommodate other 
security elements 

— Finger.pins 

— Sliders 
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KEY CONTROL: 
Critical issues 


¢ Simulation of code or key components 
¢ Security of locks = key control and\key 
security 


— All bypass techniques simulate actions of 
key 


— Easiest way to open a lock is with the key 
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KEY CONTROL and “KEY 
SECURITY ISSUES 


KEY CONTROL: 
Design Issues 


DUPLICATION AND 
REPLICATION OF KEYS 


COVERT and FORCED 
ENTRY RESISTANCE 


STANDARDS 
REQUIREMENTS 


CONVENTIONAL PICKING 


TOBIAS DECODER: 
“Crackpot@security.org” 
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DECODERS 


DECODE PIN ANGLES 


FORCED ENTRY 
RESISTANCE 


FORCED ENTRY ATTACKS: 
Deficiencies in standards 


SIDEBAR: 


Bypass and Circumvention 
¢ Direct Access 


— Decoding attacks 
— Manipulation 


— Simulate the sidebar code (Medeco) 
— Use of a key (Primus and Assa) 
¢ Indirect access 


— Medeco borescope and otoscope decode 
issues 
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SIDEBAR AT TACK: 
Physical Strength 


FORCED ENTRY ATTACKS 


¢ Direct compromise of critical components 
— Medeco deadbolt 1 and 2 manipulate tailpiéce 
¢ Hybrid attack: two different modes 
— Medeco reverse picking 
¢ Defeat of one security layer: kesult 


— Medeco Mortise and rim cylinders, defeat shear 
line 
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MEDECO HIGH SECURITY: 
Lessons to be learned 


¢ What constitutes security 
¢ Lessons for design engineers 
¢ Appearance v. reality 
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MEDECO CASE HISTORY 


MEDECO MISTAKES 


Failed to listen 
Embedded design problems from beginning 


Compounded problems-with new designs 
with two new generations: Biaxial and m3 


Failed to “connect the dots” 
Failure of imagination 
Lack of understanding of bypass techniques 
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DESIGN = 
VULNERABILITIES 


Basic design: sidebar legs + gates 
— How they work: leg + gate interface 
— Tolerance of gates 


Biaxial code designation 

Biaxial pin design: aft position decoding 
M3 slider: geometry 

M3 keyway design 

Deadbolt design 
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MEDECO DESIGN: 
Exploit design vulnerabilities 


MEDECO DESIGNS: 
More vulnerabilities 


Biaxial pin design: fore and aft positions 
Borescope decode of aft angles 


Introduction of Bilevela 2006 
Compromise by decoding 
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MEDECO TIMELINE 


¢ 1970 Original Lock introduced 
¢ 1985 Biaxial, Second generation 
¢ 2003 m3 Third generation 
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August 2006: Bump Proof 


About Medeco - MEDECO - THE BUMP PROOF LOCK 


: IM http: / ;web.archive.org/web/20061016161749/www.medeco.com/about/whats_new/ ¥ [> KG 4 


What's New 

Map & Directions 
Training Schedule 
Careers At Medeco 


Trade Show 
Schedule 


Become a Medeco 
Dealer 


NCPC Projects 


Learn about Product 
Maintenance 


CUNLAUL: AND WiccUragy | 
859-689-5753 
amccrady @medeco.com 


Medeco Combats the Bump Key 
Law Enforcement and Security Dealers Educated in standard lock risks 


Salem, Va., August 4, 2006 ? ?Security flaw in your locks?? asks a recent Newsweek.com headline. The 
term ?Hackers? is typically associated with those who attempted to break into computer systems. Now 
Hackers are people attempting to defeat a wide range of protected systems ? including the locks on your 
doors. 


Medeco, the industry?s leading high security lock manufacturer, has expanded its? acclaimed educational 
training module to explain the vulnerability that many locks face to a bumping attack. This training is offered 
to Crime Prevention associations and security dealers. 


Medeco is commonly known as a ?bump proof lock? by those who view picking as a sport. Standard locks 
utilize a single locking point, while high security locks such as Medeco utilize multiple locking technologies. 
To see why Medeco is not vulnerable to this type of attack, a short video is available at www.medeco.com 
in the Interactive Security Solutions link. 


According to statistics provided by the National Crime Prevention Council (NCPC) and the Department of 
Justice, nearly 2/3 of all break-ins occur with no sign of forced entry. While some of these crimes may be a 
result of an unlocked door, most experts agree that lock bumping, picking or use of an unauthorized 
duplicate key are often the case. 


?This should provide the economic motivation for a consumer to pay a bit more for quality high security 
locks for their home or business that protect everything they own,? according to Clyde Roberson, Director 
of Technical Services at Medeco Security Locks. 7Bumping is a vulnerability to many standard locks, and 
that?s why we educate the experts on proper steps that can be taken to minimize the risk. Not all locks can 
be bumped; consumers just need to know the differences.? 


Home and business owners may contact the National Crime Prevention Council at 1-202-466-6272, or 
wWw.ncpc.org, to request a copy of 7Locking Your Home, What To Know Before Buying Locks For Your 
Home.? or 7A Safe Workplace is Everybody?s Business.? Additionally, Medeco residential and commercial 
product information, including authorized Medeco dealers, can be found at www.medeco.com. 


Hithit 


Proxy: None 


Feb 2007:Virtually BumpProof 


About Medeco - MEDECO - Combating the Bump Key 


(* @ http: //www.medeco.com/about/whats_new/pr/bump.htm! 


Whos ivwow 


Medeco Combats the Bump Key 
Map & Directions Law Enforcement and Security Dealers Educated in standard lock risks 


Training Schedule Salem, Va., August 4, 2006 - ‘Security flaw in your locks?’ asks a recent Newsweek.com headline. The 
term “Hackers” is typically associated with those who attempted to break into computer systems. Now 
Hackers are people attempting to defeat a wide range of protected systems - including the locks on your 
doors. 


Careers At Mececo 


Trace Show Schecule 


Medeco, the industry’s leading high security lock manufacturer, has expanded its’ acclaimed educational 
training module to explain the vulnerability that many locks face to a bumping attack. This training is 
NCPC Projects offered to Crime Prevention associations and security dealers. 


Become a Mececo Dealer 


Learn about Product Medeco is commonly known as a virtually bump proof lock by those who view picking as a sport. Standard 

Maintenance locks utilize a single locking point, while high security locks such as Medeco utilize multiple locking 
technologies. To see why Medeco is not vulnerable to this type of attack, a short video is available at 
wwiw.medeco.com in the Interactive Security Solutions link. 


According to statistics provided by the National Crime Prevention Council (NCPC) and the Department of 
Justice, nearly 2/3 of all break-ins occur with no sign of forced entry. While some of these crimes may be 
a result of an unlocked door, most experts agree that lock bumping, picking or use of an unauthorized 
duplicate key are often the case. 


“This should provide the economic motivation for a consumer to pay a bit more for quality high security 
locks for their home or business that protect everything they own,” according to Clyde Roberson, Director 
of Technical Services at Medeco Security Locks. “Bumping is a vulnerability to many standard locks, and 
that’s why we educate the experts on proper steps that can be taken to minimize the risk. Not all locks 
can be bumped; consumers just need to know the differences.” 


Home and business owners may contact the National Crime Prevention Council at 1-202-466-6272, or 
Wiww..ncpc.org, to request a copy of “Locking Your Home, What To Know Before Buying Locks For Your 
Home.” or “A Safe Workplace is Everybody’s Business.” Additionally, Medeco residential and commercial 
product information, including authorized Medeco dealers, can be found at www.medeco.com. 
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MEDECO LOCKS: 
Why are they Secure? 


MODERN PIN TUMBLER 
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MEDECO BIAXIAL 


MEDECO LOCKS: 


3 Independent Layers 


¢ Layer 1: PIN TUMBLERS to shear line 
¢ Layer 2: SIDEBAR: 3 angles x 2 positions 
¢ Layer 3: SLIDER — 26_positions 


Opened By; 
Lifting the pins to sheaf line 
Rotating each pin individually 
Moving the slider to correct position 
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MEDECO TWISTING PINS: 
3 Angles + 2 Positions 


MEDECO ROTATING 
TUMBLE 
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SIDEBAR Technology 


Block rotation of the plug 

One or two sidebars 

Primary or secondary-locking 

Only shear line or secondaky 

Integrated or separate systems 

— Assa, Primus , MT5 (M5), MCS= split 

— Medeco and 3KS = integrated 

Direct ofindirect relationship and access by 
key bitting 
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SIDEBAR LOCKING: 
How does It work 


One or two sidebars 
Interaction during plug rotation 
Direct or indirect block.plug rotation 


Sidebar works in which modes 

— Rotate left or right 

— Pull or push 

Can sidebar be neutralized: ive. Medeco 
— Setting:sidebar code 

— Pull plug forward, not turn 
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SIDEBAR LOCKING 
DESIGN: Information. from 
the lock? 


SIDEBAR CODING 


Total number: real and theoretical 
Restrictions and conflicts 
Rules to establish 


Can we use rules to break system 
— Medeco TMK multiple 
— Assa.V10 multiplex coding 
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SECURITY CONCEPTS: 
Sidebar “IS” Medeco Security 


PLUG AND SIDEBAR: 
All pins aligned 


SIDEBAR RETRACTED 


=r 


= 
Oe DTT OYOTOE) ch 
Se ee ee ee ~~ 

° 


————— 


PLUG AND SIDEBAR: Locked 
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MEDECO CODEBOOK: 
At the heart of security 


KEY CODES: 
Vertical Bitting and Sidebar 


MEDECO RESEARCH: 
Results of Project 


RESULTS OF PROJECT: 
Bumping 


Reliably bump open Biaxial and m3 
locks 


Produce bump keys*orn. Medeco blanks 


and simulated blanks 
Known sidebar code 
Unknown sidebar code 
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MEDECO BUMP KEY 


RESULTS OF PROJECT: 
Key Control and Key Security 


SIMULATED BLANKS: Any 
m3 and Many Biaxial Locks 


SIMULATED BLANKS 
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M3 SLIDER: 
Bypass with a Paper clip 


m1 4 
> | 


SECURITY OF m3: 


A paperclip can be 
a wonderous thing 
More times than! 
can remember one 
of these has gotten 
me out of a tight 
spot.” 


RESULTS OF PROJECT: 
Picking 


PICKING A MEDECO.LOCK 
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Video Demo: 


¢ Picking Medeco Locks 
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RESULTS OF PROJECT: 
Decode Top Level Master Key 


RESULTS OF PROJECT: 
Forced Entry Techniques 


DEADBOLT ATTACK 


DEADBOLT BYPASS: 2$ 
Screwdriver + $.25 materials 


Video Demo: 


¢ Deadbolt Bypass 
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MORTISE CYLINDER 


MORTISE ATTACK 
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Video Demo: 


¢ Mortise Cylinder Bypass 
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CONNECTING THE DOTS 


¢ CRITICAL FAILURES 
* Original > Biaxial 
— pin design 
— code assignment 
¢ Biaxial -> m3 design 
— M8 slider geometry = .040° offset 
— Key simulation 
— .007° Keyway widening 
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MORE DOTS! 


FORCED ENTRY 

Original Deadbolt design 

Fatal design flaw: 30 Seconds bypass 
Later deadbolt designs: new attacks 
Mortise and rim cylinders 

Inherent design problem: .065° plug 
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MORE DOTS: 
BILEVEL LOCK 


CONNECTING THE DOTS: 
The Results 


4 KEYS TO THE KINGDOM 
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Video Demo: 


¢ Code Setting Keys 
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Video Demo: 


¢ Bump Proof... 
¢ Virtually Bump Proof... 
¢ Virtually Bump Resistant... 
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LESSONS TO BE LEARNED 


Patents do not assure security 

Apparent security v. actual security 

40 years of invincibility*agans nothing 

New methods of attack 

Corporate arrogance and misrepresentation 
“If it wasn't invented here” mentality 

All mechanicalNocks have vulnerabilities 
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COUNTERMEASURES: 
Primary Design Rules 


Video Demo 


¢ Bypass...Medeco Gen4 
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